General
Target: iko.exe
Size: 658KB
Sample: 241025-bta7cs1ckk
MD5: bdd25c05b8c552bc9ebdff164f70211c
SHA1: 4a2617221a6160aaf0030e1df09e84ef60d25416
SHA256: 62ab603ef02915c38aed4b33425e290de8b2a9fd6ce1a51e3147e91cea4571a5
SHA512: 7f47d632f51128b002a968ccf38a15ef79ddc987603877bb737f204b4c7b3552a91f20ed172ae8886d51992277be5263c1a12c5d569f773c0d6e433c73eed86b
SSDEEP: 12288:S9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hl:+Z1xuVVjfFoynPaVBUR8f+kN10EBP
Behavioral tasks
behavioral1: sample iko.exe, resource win7-20240708-en
behavioral2: sample iko.exe, resource win10v2004-20241007-en
Malware Config
Extracted family: darkcomet
Botnet / campaign ID: Guest16_min
C2: 0.tcp.us-cal-1.ngrok.io:13156 (an ngrok tunnel endpoint; the operator's real host sits behind the tunnel, so the hostname and port are only as stable as that tunnel)
Mutex: DCMIN_MUTEX-R33QYFH
Attributes:
- InstallPath: DCSCMIN\IMDCSC.exe (the dropped copy that the "Executes dropped EXE" signature refers to)
- gencode: iQGE1xMHoLNS
- install: true
- offline_keylogger: true (keystrokes are logged locally for later retrieval rather than streamed)
- persistence: false (this is the builder's process re-spawn option, separate from the install/startup options; it being off does not mean no autostart, since the Run key and Winlogon changes are reported under Signatures below)
- reg_key: DarkComet RAT (value name used for the Run key entry)
Targets
Target: iko.exe (658KB; hashes as listed under General)
Signatures
- Modifies WinLogon for persistence
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence
- Executes dropped EXE (the copy written to the configured InstallPath, DCSCMIN\IMDCSC.exe)
- Loads dropped DLL
- Adds Run key to start application (value name from the config: DarkComet RAT)
- Legitimate hosting services abused for malware hosting/C2 (the ngrok tunnel used as C2 above)
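The config values and behaviour signatures above translate directly into host-side detection logic. The following is an added example, not part of this sandbox report: it matches a constructed stream of simplified, Sysmon-like JSON events against the extracted indicators (C2 host and port, mutex, InstallPath, Run key value name) and against generic autostart locations. The event field names, the Winlogon values checked (Shell and Userinit, since the report does not name the exact value), the second mutex suffix and all process IDs are assumptions made for the example.

```python
"""Match constructed endpoint telemetry against the DarkComet indicators
extracted above. Added example, not part of the sandbox report; the event
shape is a simplified, assumed Sysmon-like record, not the real Sysmon schema."""
import re
from collections import defaultdict

# Indicators copied verbatim from the extracted config on this page.
CONFIG = {
    "botnet": "Guest16_min",
    "c2": "0.tcp.us-cal-1.ngrok.io:13156",
    "mutex": "DCMIN_MUTEX-R33QYFH",
    "install_path": r"DCSCMIN\IMDCSC.exe",
    "reg_key": "DarkComet RAT",          # value name used under the Run key
}
C2_HOST, _port = CONFIG["c2"].rsplit(":", 1)
C2_PORT = int(_port)

# Autostart locations behind the report's two persistence signatures.
# Assumption: the report does not name the Winlogon value, so Shell and
# Userinit are both checked.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
WINLOGON_RE = re.compile(
    r"\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\(Shell|Userinit)$", re.I)
TUNNEL_HOST_RE = re.compile(r"\.ngrok\.io$", re.I)   # "legitimate hosting abused for C2"

# Finding name -> ATT&CK sub-technique from the report's mapping.
TECHNIQUE = {
    "darkcomet_run_key": "T1547.001",
    "run_key_to_install_path": "T1547.001",
    "winlogon_helper_persistence": "T1547.004",
}


def triage_event(ev):
    """Return finding names for one event; an empty list means nothing matched."""
    found = []
    kind = ev.get("type")
    install = CONFIG["install_path"].lower()
    if kind == "registry_set":
        key, data = ev.get("key", ""), str(ev.get("data", "")).lower()
        if RUN_KEY_RE.search(key):
            if key.rsplit("\\", 1)[-1] == CONFIG["reg_key"]:
                found.append("darkcomet_run_key")          # exact value name from config
            if install in data:
                found.append("run_key_to_install_path")    # points at the dropped EXE
        if WINLOGON_RE.search(key) and install in data:
            found.append("winlogon_helper_persistence")
    elif kind == "network_connect":
        host, port = ev.get("dst_host", "").lower(), ev.get("dst_port")
        if host == C2_HOST.lower() and port == C2_PORT:
            found.append("darkcomet_c2_exact")
        elif TUNNEL_HOST_RE.search(host):
            found.append("ngrok_tunnel_egress")            # same tunnel service, other endpoint
    elif kind == "mutex_create":
        name = ev.get("name", "")
        if name == CONFIG["mutex"]:
            found.append("darkcomet_mutex")
        elif name.startswith("DCMIN_MUTEX-"):
            found.append("darkcomet_mutex_prefix")          # another build of the same family
    elif kind == "process_create":
        if ev.get("image", "").lower().endswith(install):
            found.append("executes_dropped_install_path")
    return found


def triage(events):
    """Aggregate over an event stream: finding name -> sorted list of PIDs."""
    hits = defaultdict(set)
    for ev in events:
        for name in triage_event(ev):
            hits[name].add(ev.get("pid"))
    return {name: sorted(pids) for name, pids in hits.items()}


# Constructed telemetry: one infected process (pid 2212), one benign process
# (pid 4100) and a hypothetical second DarkComet build with another mutex
# suffix (pid 3017). None of this is from the report.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 2212,
     "image": r"C:\Users\victim\Documents\DCSCMIN\IMDCSC.exe"},
    {"type": "mutex_create", "pid": 2212, "name": "DCMIN_MUTEX-R33QYFH"},
    {"type": "registry_set", "pid": 2212,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT",
     "data": r"C:\Users\victim\Documents\DCSCMIN\IMDCSC.exe"},
    {"type": "registry_set", "pid": 2212,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "data": r"C:\Windows\system32\userinit.exe,C:\Users\victim\Documents\DCSCMIN\IMDCSC.exe"},
    {"type": "network_connect", "pid": 2212,
     "dst_host": "0.tcp.us-cal-1.ngrok.io", "dst_port": 13156},
    {"type": "mutex_create", "pid": 3017, "name": "DCMIN_MUTEX-7KQ2ZPA"},
    {"type": "process_create", "pid": 4100, "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "network_connect", "pid": 4100, "dst_host": "update.example.com", "dst_port": 443},
]

if __name__ == "__main__":
    for name, pids in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{name:30s} pids={pids} technique={TECHNIQUE.get(name, '-')}")
```

The exact-match rules (mutex, C2 host:port, Run value name) are tied to this build and will miss the next one; the prefix and location rules (DCMIN_MUTEX-, writes to Run and Winlogon values that point at a freshly dropped EXE, any egress to an ngrok hostname) are the ones worth keeping as standing detections.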
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution, T1547 (2 signatures)
  - Registry Run Keys / Startup Folder, T1547.001 (1)
  - Winlogon Helper DLL, T1547.004 (1)
Privilege Escalation
- Boot or Logon Autostart Execution, T1547 (2 signatures)
  - Registry Run Keys / Startup Folder, T1547.001 (1)
  - Winlogon Helper DLL, T1547.004 (1)